SSH command logs
SSH command logs record the commands that users run on infrastructure targets protected by Access for Infrastructure. Use these logs to audit user activity on your SSH servers and investigate specific sessions.
To view SSH command logs, log in to Cloudflare One ↗ and go to Insights > Logs > SSH command logs.
To generate SSH command logs, you must:
- Set up Access for Infrastructure for your SSH servers.
- Enable SSH command logging by uploading an encryption public key. Cloudflare uses this key to encrypt your logs so that only you can read their contents.
SSH command logs displayed in the dashboard are encrypted using the public key you provided during setup. The logs are not readable in the dashboard — you must download and decrypt them locally. To view the contents of the logs:
- In Cloudflare One ↗, go to Insights > Logs > SSH command logs.
- Filter the logs using the name of your SSH application.
- Select the SSH session for which you want to export command logs.
- In the side panel, scroll down to SSH logs and select Download.
- Decrypt the log using the SSH Logging CLI ↗ and the private key that corresponds to the public key you uploaded.
| Field | Description |
|---|---|
| Session ID | Unique identifier for the SSH session. |
| User email | Email address of the user who initiated the SSH session. |
| Target ID | Identifier of the infrastructure target being accessed. Corresponds to the target you configured in Access for Infrastructure. |
| Client address | Source IP address of the SSH connection. |
| Server address | Destination IP address of the SSH server. |
| Session start datetime | Timestamp when the SSH session started. |
| Session finish datetime | Timestamp when the SSH session ended. |
| Program type | Type of SSH program: shell (interactive terminal), exec (single command execution), x11, direct-tcpip, or forwarded-tcpip. Note that x11, direct-tcpip, and forwarded-tcpip correspond to SSH features that are not currently supported by Access for Infrastructure. |
| Payload | Captured request/response data in asciicast v2 ↗ format, a structured terminal recording format. Includes commands for exec programs. |
| Error | SSH error message, if an error occurred during the session. |
Enterprise users can export SSH command logs to external storage or analysis destinations using Logpush. Unlike dashboard logs, Logpush payloads are not encrypted with a customer-provided public key — secure access to your storage destination accordingly.
For a list of all available fields, refer to SSH Logs.